Information Security Standard
Information Security Standards (ISS) are developed to support and enforce both District Administrative Regulations and the California Community College Information Security Standard.
I. Purpose and Scope
The objective of this Information Security Standard is to describe policies for secure operations of Long Beach Community College District’s (LBCCD) information and systems. The following topics are covered:
- Virus Management
- Patches and Updates
- Software and Asset Management
- Backup and Media
- Third-Party Management
5.1 Vendor Risk Management Procedure
5.2 HIPAA Third-Party Agreements
5.3 PCI Third-Party Agreements
This is one of a series of Information Security Standards maintained by the District Information Technology (IT) department designed to protect LBCCD information systems.
1. Applicability of Assets
This Information Security Standard applies to all electronic assets that are owned or leased by LBCCD, including but not limited to:
- Desktop and Laptop Computers
- Mobile Devices
- Network Infrastructure
2. Applicability to all Employees and Volunteers
This Information Security Standard applies to all Board of Trustees authorized/ratified full-time and part-time regular Academic and Classified employees, Substitutes, Short-term (Temporary) staff, Professional Experts, College Work Study students, Student Help, and Volunteers who are employed in the LBCCD for the purpose of meeting the needs of students.
3. Applicability to External Parties
This Information Security Standard applies to all external parties, including but not limited to LBCCD business partners, vendors, suppliers, outsource service providers, and other third-party entities with access to LBCCD networks and system resources.
II. Vulnerability Management
All applicable systems must be configured with District IT-approved anti-virus software. The software must be configured to scan for viruses in real-time. Anti-virus programs must be capable of detecting, removing, and protecting against all known types of malicious software.
All systems with anti-virus software must be configured to update virus signatures on a daily basis.
End users must not be able to configure or disable the software.
All anti-virus mechanisms must generate audit logs to aid District IT and campus IT in detecting and responding to virus outbreaks.
LBCCD must ensure that all system components and software are protected from known vulnerabilities by installing the latest vendor-supplied firmware, security patches, hotfixes, and service packs found to be applicable to LBCCD computing resources.
District IT and campus IT system administrators must keep up with vendor changes and enhancements. New or modified non-urgent patches must be scheduled and installed within one month of release. Urgent patches that address security vulnerabilities must be installed as soon as feasible without introducing instability or impacting service availability.
Where feasible, patches must be tested in a test environment prior to production deployment. Testing must ensure that systems function correctly.
Changes to servers and networks should be tested prior to implementation and follow normal change control management procedures.
District IT and campus IT must be alert to identifying new security vulnerabilities by monitoring available vendor or industry security sources. Hardening and configuration standards must be updated as soon as practical after new vulnerabilities are found.
Administrative Regulations on Computer and Network Use 6006 sets forth usage policies for critical technologies that include e-mail usage and Internet usage and define proper use of these technologies. District IT may also issue mobile devices (such as laptops or removable storage devices) and will maintain a list of issued devices and personnel with access to assist in determining the owner, contact information, and purpose.
District IT and campus IT will maintain a list of company-approved products and software.
Users must store all critical files on the local area network or approved cloud-storage vendor so that they can be properly backed up. If an end-user chooses to store essential data elsewhere, it must be approved by District IT management or campus IT management and the user is responsible for ensuring the data can be recovered.
Any media containing backup data that is stored on-site must be classified so that operations personnel can determine the sensitivity of the data stored on tape or other formats. Refer to the IT Data Classification Standard for the classification and handling of information.
Any backup media that contains restricted information and must be transferred must be sent by a secured courier or another delivery method that can be accurately tracked. Management must approve any and all media that is moved from a secured area (especially when media is distributed to individuals).
Strict control must be maintained over the storage and accessibility of backup media. Inventory logs of all media must be maintained and reviewed at least annually.
Media must be destroyed when it is no longer needed for business or legal reasons. Data retention requirements must be documented.
The District Disaster Recovery Standard outlines the strategy and basic procedures to enable the Long Beach Community College District (LBCCD) to withstand the prolonged unavailability of critical information and systems and provide for the recovery of District Information Technology Services (ITS) in the event of a disaster.
A third-party user is a non-LBCCD employee or entity that is authorized to access LBCCD systems and networks. Examples of third-party users include consultants, contractors, temporary employees, interns, vendors, business partners, service providers, and suppliers of products, services, or information.
Network connections between the LBCCD environment and third parties must follow agreed-upon security procedures and/or confidentiality requirements. Such connections and other third-party access to LBCCD’s systems must be governed by formal written agreements or contracts.
These agreements may require signed Confidentiality and Non-Disclosure statements restricting the subsequent usage and dissemination of LBCCD information.
Vendors or other third parties with access to LBCCD-owned or leased equipment or systems housed in the LBCCD data center are restricted to only the specific equipment and systems they are authorized to maintain or monitor and are subject to District Access Control Standards.
5.1 Vendor Risk Management Procedure
Third-party systems often have direct access to institutional data, networks, and other information systems, thereby presenting an inherent risk to the District. The inclusion and consideration of information security controls is, therefore, an integral part of purchasing and maintaining new and existing third-party systems.
As a result, California community colleges are subject to several federal and state information-security mandates. One such requirement of the Gramm-Leach-Bliley Act (GLBA) is to comply with the FTC Safeguards Rule (16 CFR §314.4[d]), which states that institutions shall:
Oversee service providers, by:
- Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
- Requiring your service providers by contract to implement and maintain such safeguards.
The District IT Vendor Risk Assessment Procedure details the process for engaging service providers including proper due diligence prior to beginning the engagement. A list of all third-party providers must be maintained.
5.2 HIPAA Third-Party Agreements
HIPAA regulations specify that formal written agreements must be established with each party (often considered a “business associate”) who will access protected health information (PHI). The parties must agree to protect the integrity and confidentiality of the information being exchanged, and the agreement would clearly define the responsibilities of both parties.
- LBCCD security policies and security mandates, including any fines and penalties that may be incurred for HIPAA or PCI non-compliance or lack of compliance with the regulations
- Ownership and acceptable uses of PHI and other classified information
- Requirements for business continuity by the third party, in the event of a major disruption, disaster, or failure
- Audit provisions for LBCCD or LBCCD-approved entities in the event of a data compromise. Provisions to ensure that LBCCD, or an LBCCD-approved auditor, will be provided with full cooperation and access to conduct a thorough security review after a security intrusion. The review will validate compliance with LBCCD standards and HIPAA regulators for protecting PHI and other LBCCD information.
- Security of PHI and LBCCD information during third-party contract terminations or data transfers.
5.3 PCI Third-Party Requirements
LBCCD information technology resources shall not be used to process, store, or transmit payment card data. To process online payment card transactions, Business Units are required to use vendors that are PCI DSS compliant and provide the District with the vendor’s official attestation of compliance.